pnp / sp-starter-kit

Modern SharePoint Starter Kit - End-to-end showcase solution to get started with modern experiences.
MIT License

Couldn't install the starter kit - I'm getting (403) Forbidden error #179

Open muges01 opened 5 years ago

muges01 commented 5 years ago

Hi,

I'm trying to install the new SharePoint Starter Kit in my tenant but I'm getting a 403 error. Can anyone please guide me on installing this starter kit?

image

Category

Expected or Desired Behavior

Expecting to install the SharePoint starter kit in my tenant.

Observed Behavior

I'm getting 'The remote server returned an error: (403) Forbidden.' error when I run the following PowerShell command

'Apply-PnPProvisioningHierarchy -Path starterkit.pnp -Parameters @{"SiteUrlPrefix"="demo_"}'

Note: I'm using a global administrator credential (MSA enabled account) to run the PowerShell.

Steps to Reproduce

  1. Open SharePoint Online Management PowerShell
  2. Run 'Connect-PnPOnline [Tenant URL] -UseWebLogin'
  3. Enter the user credential which has global administrator access
  4. Run 'Apply-PnPProvisioningHierarchy -Path starterkit.pnp -Parameters @{"SiteUrlPrefix"="demo_"}'

Note: I'm using the 'PnP PowerShell for SharePoint Online' version '3.2.1810.0'

Thank you in advance.

muges01 commented 5 years ago

Additional Observed Behavior

I have tested this on a tenant which doesn't have MSA enabled and it is working fine.

image

Looks like the issue is with the tenant which has the MSA enabled.

Thank you

ZGremlin commented 5 years ago

Looking for an update on this, encountering the same issue.

michaelmaillot commented 5 years ago

Same issue for me too. Worse than that: I tried to apply the starter kit in a new Office 365 tenant (created with the developer program, so without MSA enabled) and I have the same behavior...

muges01 commented 5 years ago

Anybody found any solution for this issue yet?

ZGremlin commented 5 years ago

> Anybody found any solution for this issue yet?

Unfortunately, no. Nothing yet.

muges01 commented 5 years ago

Thank you @JeremySColeman, I hope someone will be able to help us here. It looks like something to do with the MSA enabled environment.

muges01 commented 5 years ago

Hi @VesaJuvonen

I have run the script again and this is the exception details

image

Please let me know, if you need any further information.

VesaJuvonen commented 5 years ago

Hi @muges01 - this indicates either of two things. You do not have an app catalog created in your tenant OR you do not have site collection administrator permissions in the app catalog for some reason. Can you check those? Thx.

michaelmaillot commented 5 years ago

Hi @VesaJuvonen

I have the same error as @muges01 despite the fact that I am administrator (both site collection and tenant) and I have an App Catalog...

muges01 commented 5 years ago

Hi @VesaJuvonen,

I have checked the two things that you asked me to clarify.

  1. I have an app catalog and I have uploaded other SPFx solutions to the app catalog successfully
  2. I have site collection administrator permission on the App catalog site

Please let me know, if you need any other details.

Thank you

muges01 commented 5 years ago

Thank you @michaelmaillot for the info

ZGremlin commented 5 years ago

> Hi @muges01 - this indicates either of two things. You do not have an app catalog created in your tenant OR you do not have site collection administrator permissions in the app catalog for some reason. Can you check those? Thx.

@VesaJuvonen In my case I am not only a Global Admin but also an explicit Site Collection administrator for all collections on the tenant. Our App Catalog is several years old and has several apps installed. Additionally I verified that I am a Term Store admin and the user profile attribute was created prior to testing.

I tested with my admin account as well as with the default tenant admin account, no luck.

Thanks for the assistance!

VesaJuvonen commented 5 years ago

@muges01 - Can you test the following - ensure that you do not have the sppkg file in the app catalog... so delete it if it's there. Try re-installation. Share the app catalog status and whether the sppkg file is now there.

@JeremySColeman - Can you share the exception details what you get... or is that the same as what was already mentioned above.

Thx.

muges01 commented 5 years ago

Hi @VesaJuvonen ,

Sorry for the delay, I have checked my app catalog and there is no sppkg file deployed.

Thank you

erwinvanhunen commented 5 years ago

Hi @muges01 To make sure we can (from code) actually resolve the URL of the appcatalog, can you in PowerShell execute the following cmdlet:

    Get-PnPTenantAppCatalogUrl

It should return the url to your appcatalog site.

muges01 commented 5 years ago

Hi @erwinvanhunen ,

Here is the url of my app catalog https://[tenant].sharepoint.com/sites/appcatalog

image

Thank you

ZGremlin commented 5 years ago

> @muges01 - Can you test following - ensure that you do not have the sppkg file in the app catalog... so delete if it's there. Try re-installation. Share the app catalog status and if the sppkg file is now there.
>
> @JeremySColeman - Can you share the exception details what you get... or is that the same as what was already mentioned above.
>
> Thx.

The exception I get is identical to the original post screenshot

muges01 commented 5 years ago

Hi @VesaJuvonen,

Any updates regarding this issue?

Thank you in advance

MortenPedersenDK commented 5 years ago

Hi @VesaJuvonen

I have the same issue. If it's any help, it seems that the 403 comes from a POST to `/_vti_bin/sites.asmx`, method `GetUpdatedFormDigestInformation`?

Thanks :-)

muges01 commented 5 years ago

Hi guys,

Any updates on this issue? It's been so long, any suggestion for work around will be good as well.

MortenPedersenDK commented 5 years ago

I noticed that Apply-PnPProvisioningHierarchy has been deprecated. So I tried Apply-PnPTenantTemplate instead, but with same outcome. 403 on POST to /_vti_bin/sites.asmx.

muges01 commented 5 years ago

hi @VesaJuvonen,

Is there any update on this issue?

tbennett122 commented 5 years ago

Any update on this? I've received both 401 and 403 errors.

erwinvanhunen commented 5 years ago

We are trying to repro this. Anyone up for a remote desktop session where we look into your issue from a debug side of the story?

maxali commented 5 years ago

> We are trying to repro this. Anyone up for a remote desktop session where we look into your issue from a debug side of the story?

@erwinvanhunen I am getting this now. Can do RD session.

muges01 commented 5 years ago

@erwinvanhunen I also can do screen share session as well.

maxali commented 5 years ago

Using App Password works fine. Ex: `Connect-PnPOnline -Url $tenant-admin.sharepoint.com -Credentials (Get-Credential)` and use your App Password

I get (403) Forbidden when I connect using `Connect-PnPOnline -UseWebLogin`

And (401) Unauthorized when I connect using `Connect-PnPOnline -AppId $appId -AppSecret $appSecret`

I am guessing that the token returned from the `... -UseWebLogin` request is connected to `$tenant-admin.sharepoint.com` and can not be used for SPWebs in the `<SiteCollections>` node.

muges01 commented 5 years ago

Hi @maxali,

So if we use the app password, we should be able to install the starter kit without any issue. Is that correct?

maxali commented 5 years ago

> Hi @maxali,
>
> So if we use the app password, we should be able to install the starter kit without any issue. Is that correct?

It seems so @muges01 . I got it working with App Password.

muges01 commented 5 years ago

Hi @maxali ,

I tried to use the App Password. I'm not getting the 403 Forbidden error anymore but I'm getting the following error: image

What am i missing here?

erwinvanhunen commented 5 years ago

@muges01 Can you send me a private message on https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/122 so we can set up a time and date for the screen sharing?

muges01 commented 5 years ago

Hi @erwinvanhunen ,

I have sent you a private message as requested.

Thank you

jcoleman-pcprofessional commented 5 years ago

Verified working for me as of 12/13/18

muges01 commented 5 years ago

Hi @erwinvanhunen ,

Did you get my message? When is the best time for us to do the screen share. Any help will be appreciated.

I got the latest package from GitHub today and when I tried to install it I was getting the following errors: image

Observation

I checked the tenant and I found that:

SharePoint Starter kit client site package is installed image

The Contoso Electronic (.../sites/demo_portal) and Human Resource (.../sites/demo_hr) sites are created with the default template; no site design or content is added to these sites

The Human Resource group is created

The site scripts and site designs have also been added to the tenant but are not used on the sites

westerdaled commented 5 years ago

I am also seeing the 403 error for the first time on a (non-developer) tenant with 2-factor enabled.

I have successfully run the same script and version of the starterkit.pnp against a dev tenant last week without 2-factor enabled.

muges01 commented 5 years ago

Any updates?

ozippy commented 5 years ago

I am also getting this issue. I have tried it on multiple tenants.

ozippy commented 5 years ago

If I disable MFA for my account and use the -UseWebLogin for the Connect, it still fails with 403.

If I change it to use -Credentials (stored in credential manager) it then works. So it seems to be something to do with the -UseWebLogin. I can't turn off MFA on my other tenants, so it would be nice to get it working.

Thanks

westerdaled commented 5 years ago

@ozippy you are spot on. I figured out that it was an MFA issue and was waiting for a "breaking glass" account to test in a client's tenant. I have since tested on another tenant with MFA enabled, with MFA then disabled - happy days 😊. As shown above, I wasn't able to upload the app to the app store so this appears to be the deal breaker with MFA enabled. Happy to repeat any tests on my tenant if this helps diagnose the problem.

Nickens commented 5 years ago

I also have the same problem on a tenant with mfa activated. It works with other pnp-commands but not the Apply-PnPTenantTemplate. Works good on my other developer tenants without mfa activated.

westerdaled commented 5 years ago

@erwinvanhunen, @VesaJuvonen, from the above it looks like #179 is still open and many of us still cannot deploy to a tenant with a GA with MFA enabled - switch to a GA without MFA and happy days 😊. The issues include:

Is there anything we can do to help?

Nickens commented 5 years ago

@erwinvanhunen

If this helps. Partly in Swedish :-)

    PS C:\Repos\sp-starter-kit-dev\provisioning> Get-PnPException
    Message          : The remote server returned an error: (403) Forbidden.
    Stacktrace       : vid System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
       vid System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.SPWebRequestExecutor.<ExecuteAsync>d__0.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.ClientContext.<GetFormDigestInfoPrivateAsync>d__b.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.ClientContext.<EnsureFormDigestAsync>d__8.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.ClientContext.<ExecuteQueryAsync>d__4.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__7.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__7.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.ClientObjectExtensions.<EnsurePropertiesImplementation>d__81.MoveNext()
    --- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
       vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       vid Microsoft.SharePoint.Client.ClientObjectExtensions.EnsureProperties[T](T clientObject, Expression1[] propertySelector)
       vid OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.TokenParser..ctor(Tenant tenant, ProvisioningHierarchy hierarchy, ProvisioningTemplateApplyingInformation applyingInformation)
       vid OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.SiteToTemplateConversion.ApplyProvisioningHierarchy(Tenant tenant, ProvisioningHierarchy hierarchy, String sequenceId, ProvisioningTemplateApplyingInformation provisioningInfo )
       vid SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate.ExecuteCmdlet()
       vid SharePointPnP.PowerShell.Commands.PnPCmdlet.ProcessRecord()
    ScriptLineNumber : 1

bazookadaver commented 5 years ago

I was having this issue, and I was able to temporarily do the following in order to get this to work

dsweb329 commented 5 years ago

@maxali - Thanks for the tip. It works for me. As you mentioned, if MFA is enabled on the Global Admin account it does not work (I only have one licensed user, but if you have another licensed account that does not have MFA enabled, that should work as well). I received the "403 Forbidden" message upon executing the following PS command: `Apply-PnPTenantTemplate -Path starterkit.pnp -Parameters @{"SiteUrlPrefix"="demo"}`. However, if you use your App Password it worked as expected. Do not use the switch -UseWebLogin; instead use `CONNECT-PNPONLINE -URL "YOUR URL" -CREDENTIALS (GET-CREDENTIAL)`. Here are the steps to create your App Password if you haven't done so already: https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183

Thanks @maxali !

maxali commented 5 years ago

Happy to see it working for you @dsweb329

Here are some steps I use to simplify the process:

  1. Go to AppPasswords link: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

  2. You can then store your password in Windows Credential Manager. Here is PnP command to do it:

    Add-PnPStoredCredential -Name mycredential -Username contosoadmin@contoso.onmicrosoft.com -Password (ConvertTo-SecureString -String "mycontosopass" -AsPlainText -Force)
  3. Use the saved credentials whenever you try to login to pnp:

    Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials mycredential
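
The three steps above as one script, written so the app password is prompted for instead of being typed as a literal on the command line (an added example, not part of the original comment or the PnP project's own code). The tenant name `contoso` and the credential label `starterkit-install` are placeholders; the cmdlets are the ones used in this thread plus `Remove-PnPStoredCredential` for cleanup.

```powershell
# Added example: placeholders below must be replaced with your own values.
$tenant   = 'contoso'                # placeholder tenant name
$credName = 'starterkit-install'     # hypothetical Credential Manager label
$adminUrl = "https://${tenant}-admin.sharepoint.com"

$ErrorActionPreference = 'Stop'

# Prompt for the admin UPN and its app password. Nothing secret is passed as a
# string literal, so it does not end up in PSReadLine history or transcripts.
$cred = Get-Credential -Message 'Admin UPN and app password'
Add-PnPStoredCredential -Name $credName -Username $cred.UserName -Password $cred.Password

try {
    # Connect with the stored credential instead of -UseWebLogin.
    Connect-PnPOnline -Url $adminUrl -Credentials $credName

    # Check requested earlier in the thread: the app catalog URL must resolve.
    $catalog = Get-PnPTenantAppCatalogUrl
    if (-not $catalog) { throw 'No tenant app catalog URL was returned.' }
    Write-Host "App catalog: $catalog"

    Apply-PnPTenantTemplate -Path .\starterkit.pnp -Parameters @{ SiteUrlPrefix = 'demo_' }
}
catch {
    Write-Warning $_.Exception.Message
    Get-PnPException    # message and stack trace of the last PnP error
}
finally {
    Disconnect-PnPOnline -ErrorAction SilentlyContinue
    # Drop the stored app password once the install attempt is over.
    Remove-PnPStoredCredential -Name $credName -Force
}
```

An app password is a long-lived secret that is accepted without the second factor, so revoke it on the AppPasswords page once the installation is finished.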

Nickens commented 5 years ago

What to do if we can't turn off mfa?

jonathanhotono commented 5 years ago

Trying to use it without -UseWebLogin produces the following error on my end: image

paSPteam commented 5 years ago

> What to do if we can't turn off mfa?

I'm having the same issue with applying theme colours. I just can't authenticate. No, I can't turn off MFA, I'm not in charge of that.

I've tried: 1) Windows credential manager 2) -UseWebLogin 3) -AppId & -AppSecret (app password)

Any other suggestions for being able to authenticate??

svest79 commented 5 years ago

Same boat here. Have a client that has to use MFA. We are trying to loop through all sites and apply a template, but we get the same error. I have also tried

  1. Credential Manager
  2. UseWebLogin
  3. -PnPO365ManagementShell

Any help would be appreciated.

westerdaled commented 5 years ago

This issue seems to keep haunting me. Can deploy the StarterKit via the Provisioning service without any issues with my GA MFA account. So does it create an AppId and Appsecret in the background? I can connect to a modern comms site

    Connect-PnPOnline -Url $SourceSiteUrl -UseWebLogin

Then at the site collection level just attempt to deploy the bits of the starter kit that support, say, PnPAlerts

    Apply-PnPProvisioningTemplate -path .\my-provisioningTemplate.xml

This deploys lists, Content types and app customizers but even with an Alert item added .. No alerts 😱.

Ok, thought I would use the original deployment script as I must be missing a dependency.

    Connect-SPOService -Url $adminSiteUrl -UseWebLogin
    Apply-PnPTenantTemplate -Path starterkit.pnp -Parameters @{"PORTALURL"="/sites/DansFabDemo"; "MARKETINGALIAS"="demomarketing"; "HRALIAS"="demohr" } -Handlers Lists
    Apply-PnPTenantTemplate : The remote server returned an error: (403) Forbidden.
    At line:1 char:1

Conditional access policies